
Firewall Technologies

Prepared by: Yousef Aburabie

Supervised by: Dr. Loai Tawalbeh
New York Institute of Technology (NYIT), Jordan campus, 2006

Outline of Presentation

The Nature of Today's Attackers


Firewall Definition and History
What Firewalls Do and Cannot Do
Types of Firewalls
Firewall Architecture
Do You Need a Firewall
Selecting Firewall
Implementations
Conclusion

The Nature of Today's Attackers

Who are these hackers who are trying to break into your computer?
Most people imagine someone at a keyboard late at night, guessing
passwords to steal confidential data from a computer system.
This type of attack does happen, but it makes up a very small portion of the
total network attacks that occur.
Today, worms and viruses initiate the vast majority of attacks. Worms and
viruses generally find their targets randomly.
As a result, even organizations with little or no confidential information need
firewalls to protect their networks from these automated attackers.

What Is a Firewall ?

The term firewall has been around for quite some time and originally was
used to define a barrier constructed to prevent the spread of fire from one
part of a building or structure to another. Network firewalls provide a barrier
between networks that prevents or denies unwanted or unauthorized traffic.
Definition: A Network Firewall is a system or group of systems used to
control access between two networks -- a trusted network and an untrusted
network -- using pre-configured rules or filters.

What Is a Firewall ?

Device that provides secure connectivity between networks (internal/external;
varying levels of trust)
Used to implement and enforce a security policy for communication between
networks
Firewalls can be hardware based, software based, or a combination of both.

Firewalls History

Firewall technology emerged in the late 1980s when the Internet was a fairly
new technology in terms of its global use and connectivity. The original idea
was formed in response to a number of major internet security breaches,
which occurred in the late 1980s.

Firewalls History

First generation - packet filters
The first paper published on firewall technology was in 1988, when Jeff Mogul
from Digital Equipment Corporation (DEC) developed filter systems known as
packet filter firewalls.
Second generation - circuit level
From 1980-1990, two colleagues at AT&T developed the second generation of
firewalls, known as circuit level firewalls.
Third generation - application layer
Publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T
Laboratories described a third generation firewall, also known as proxy
based firewalls.

Firewalls History

Subsequent generations
In 1992, Bob Braden and Annette DeSchon at the University of Southern
California (USC) were developing their own fourth generation packet filter
firewall system.
In 1994 an Israeli company called Check Point Software Technologies built
this into readily available software known as FireWall-1.
Cisco, one of the largest internet security companies in the world, released
its PIX (Private Internet EXchange) product to the public in 1997.

What Firewalls Do

Positive Effects
Negative Effects

What Firewalls Do (Positive Effects)


Positive Effects

User authentication.
Firewalls can be configured to require user authentication. This allows
network administrators to control and track specific user activity.
Auditing and logging.
By configuring a firewall to log and audit activity, information may be kept
and analyzed at a later date.

What Firewalls Do (Positive Effects)

Anti-Spoofing - Detecting when the source of the network traffic is being
"spoofed", i.e., when an individual attempting to access a blocked service
alters the source address in the message so that the traffic is allowed.
Network Address Translation (NAT) - Changing the network addresses of
devices on any side of the firewall to hide their true addresses from devices
on other sides. There are two ways NAT is performed:

One-to-One - where each true address is translated to a unique translated
address.
Many-to-One - where all true addresses are translated to a single address, usually
that of the firewall.
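The following Python code is an added example, not part of the original presentation, showing both forms of NAT just described: a static one-to-one table, and a many-to-one translator that lets every inside host share one public address by rewriting the source port and remembering the mapping, so that only replies to flows the firewall itself created are translated back in. The class names and the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are assumptions made for this example.

```python
# Added example: one-to-one and many-to-one NAT as performed by a firewall.
# All addresses are from documentation ranges and are constructed for the demo.


class OneToOneNAT:
    """Each inside address is statically mapped to its own outside address."""

    def __init__(self, mapping):
        # mapping: {inside_ip: outside_ip}; build the reverse table once
        self.inside_to_outside = dict(mapping)
        self.outside_to_inside = {v: k for k, v in mapping.items()}

    def outbound(self, src_ip, dst_ip):
        """Rewrite the source of a packet leaving the trusted network."""
        return self.inside_to_outside[src_ip], dst_ip

    def inbound(self, src_ip, dst_ip):
        """Rewrite the destination of a packet arriving from outside.
        Returns None when nothing is mapped to that outside address."""
        inside = self.outside_to_inside.get(dst_ip)
        return None if inside is None else (src_ip, inside)


class ManyToOneNAT:
    """All inside hosts share one outside address; the firewall tells their
    flows apart by the translated source port it hands out."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}   # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.by_port = {}   # public port -> (in_ip, in_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the trusted network, allocating a new
        public port the first time a flow is seen and reusing it afterwards."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            public_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = public_port
            self.by_port[public_port] = flow
        return self.public_ip, self.by_flow[flow], dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse the translation for a reply. A packet that matches no entry,
        or that comes from a different peer than the entry was created for,
        has no inside destination and is dropped (None)."""
        flow = self.by_port.get(dst_port)
        if dst_ip != self.public_ip or flow is None:
            return None
        in_ip, in_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None
        return src_ip, src_port, in_ip, in_port


if __name__ == "__main__":
    nat = ManyToOneNAT("203.0.113.1")
    print(nat.outbound("192.0.2.5", 51000, "198.51.100.9", 80))
    print(nat.inbound("198.51.100.9", 80, "203.0.113.1", 40000))
    print(nat.inbound("198.51.100.9", 80, "203.0.113.1", 40999))  # None: unsolicited
```

The mapping table is what gives many-to-one NAT its incidental protective effect: an inbound packet that does not correspond to an outbound flow has nowhere to go and is discarded.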

What Firewalls Do (Positive Effects)

Virtual Private Networks
VPNs are communications sessions traversing public networks that have been
made virtually private through the use of encryption technology. VPN sessions
are defined by creating a firewall rule that requires encryption for any session
that meets specific criteria.

What Firewalls Do (Negative Effects)

Negative Effects
Although firewall solutions provide many benefits, negative effects may also
be experienced.

Traffic bottlenecks. By forcing all network traffic to pass through the firewall,
there is a greater chance that the network will become congested.

Single point of failure. In most configurations where firewalls are the only link
between networks, if they are not configured correctly or are unavailable, no traffic
will be allowed through.

What Firewalls Do (Negative Effects)

Increased management responsibilities. A firewall often adds to network
management responsibilities and makes network troubleshooting more complex.

What Firewalls Cannot Do

The most common misconception about firewalls is that they guarantee
security for your network.
A firewall cannot and does not guarantee that your network is 100% secure.
Firewalls cannot offer any protection against inside attacks. A high percentage
of security incidents today come from inside the trusted network.

What Firewalls Cannot Do

In most implementations, firewalls cannot provide protection against viruses
or malicious code. Since most firewalls do not inspect the payload or content
of the packet, they are not aware of any threat that may be contained inside.
Finally, no firewall can protect against inadequate or mismanaged policies.

How Firewalls Work

There are two security design logic approaches network firewalls use to make
access control decisions.

Everything not specifically permitted is denied.
Everything not specifically denied is permitted.

The one most often recommended is everything not specifically permitted is
denied.

How Firewalls Work

Basic TCP/IP Flow review

Types of Firewalls

Firewall types can be categorized depending on:

The function or methodology the firewall uses
Whether the communication is being done between a single node and the network,
or between two or more networks.
Whether the communication state is being tracked at the firewall or not.

Types of Firewalls
1. By the firewall's methodology:

Packet Filtering
Stateful Packet Inspection
Application Gateways/Proxies
Adaptive Proxies
Circuit Level Gateway

Packet Filtering Firewall


A packet filtering firewall does exactly what its name implies -- it filters
packets.
As each packet passes through the firewall, it is examined and information
contained in the header is compared to a pre-configured set of rules or filters.
An allow or deny decision is made based on the results of the comparison.
Each packet is examined individually without regard to other packets that are
part of the same connection.

Packet Filtering Firewall

[Figure: a packet filtering firewall sits between the trusted network and the
untrusted network; each packet is compared against the firewall rule set and is
either forwarded or blocked/discarded]

Packet Filtering Firewall

A packet filtering firewall is often called a network layer firewall because the
filtering is primarily done at the network layer (layer three) or the transport
layer (layer four) of the OSI reference model.

Packet Filtering Firewall


You use packet filters to instruct a firewall to drop traffic that meets certain
criteria.
For example, you could create a filter that would drop all ping requests. You
can also configure filters with more complex exceptions to a rule.

Packet Filtering Firewall


Packet filtering rules or filters can be configured to allow or deny traffic based on
one or more of the following variables:

Source IP address
Destination IP address
Protocol type (TCP/UDP)
Source port
Destination port
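As an added illustration that is not part of the original presentation, the Python code below implements a first-match packet filter over exactly the five header fields listed above, using the "everything not specifically permitted is denied" policy recommended earlier. It also shows the "drop all pings, with an exception" rule from the previous slide. The Packet and Rule names, the rule set and the documentation-range addresses are constructed for this example.

```python
# Added example: a stateless, first-match packet filter over header fields.
# Addresses are documentation ranges; the rule set is constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # ports stay None for ICMP
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """True when every field the rule sets agrees with the packet header."""
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def filter_packet(p: Packet, rules: List[Rule], default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default policy.

    Each packet is judged on its own; nothing is remembered between calls,
    which is what makes this a stateless packet filter.
    """
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed rule set for a trusted network 192.0.2.0/24 with a public web
# server at 192.0.2.10. Order matters: the admin host's ping exception must
# precede the rule that drops all other ICMP.
RULES = [
    Rule("allow", src="192.0.2.2/32", proto="icmp"),            # admin may ping out
    Rule("deny", proto="icmp"),                                 # drop all other pings
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),  # public web server
    Rule("allow", src="192.0.2.0/24", proto="tcp", dport=443),  # outbound HTTPS
    # Replies to outbound HTTPS have source port 443. A stateless filter can
    # only express that by opening the port, which also admits any other
    # packet whose source port happens to be 443 (the "all-or-nothing" weakness).
    Rule("allow", dst="192.0.2.0/24", proto="tcp", sport=443),
]


if __name__ == "__main__":
    print(filter_packet(Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, 80), RULES))
    print(filter_packet(Packet("203.0.113.7", "192.0.2.10", "icmp"), RULES))
    print(filter_packet(Packet("203.0.113.7", "192.0.2.5", "tcp", 443, 22), RULES))
```

Passing default="allow" turns the same rule set into the "everything not specifically denied is permitted" design; with that policy any service the administrator forgot to list is reachable, which is why default deny is the recommended choice.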

Packet Filtering
Strengths:

Packet filtering is typically faster than other packet screening methods.
Because packet filtering is done at the lower levels of the OSI model, the time
it takes to process a packet is much shorter.
Packet filtering firewalls can be implemented transparently. They typically
require no additional configuration for clients.
Packet filtering firewalls are typically less expensive. Many hardware devices
and software packages have packet filtering features included as part of their
standard package.

Packet Filtering
Weaknesses

Packet filtering firewalls allow a direct connection to be made between the
two endpoints. Although this type of packet screening is configured to allow
or deny traffic between two networks, the client/server model is never
broken.
Packet filtering firewalls are fast and typically have no impact on network
performance, but filtering is usually an all-or-nothing approach. If a port is open,
it is open to all traffic passing through that port, which in effect leaves a
security hole in your network.
Defining rules and filters on a packet filtering firewall can be a complex task.

Packet Filtering (Weaknesses)

Packet filtering firewalls are prone to certain types of attacks. Since packet
inspection goes no deeper than the packet header information, there are
three common exploits to which packet filtering firewalls are susceptible.
These include:

IP spoofing - sending data with a faked source address that the firewall will
trust.

ICMP (Internet Control Message Protocol) tunneling - ICMP tunneling allows a
hacker to insert data into a legitimate ICMP packet.

Stateful Packet Inspection

Stateful packet inspection uses the same fundamental packet screening
technique that packet filtering does. In addition, it examines the packet
header information from the network layer of the OSI model to the
application layer to verify that the packet is part of a legitimate connection
and the protocols are behaving as expected.

Stateful Packet Inspection Firewall


As packets pass through the firewall, packet header information is examined
and fed into a dynamic state table where it is stored. The packets are
compared to pre-configured rules or filters and allow or deny decisions are
made based on the results of the comparison.
The data in the state table is then used to evaluate subsequent packets to
verify that they are part of the same connection.

Stateful Packet Inspection Firewall


This method can make decisions based on one or more of the following:

Source IP address
Destination IP address
Protocol type (TCP/UDP)
Source port
Destination port
Connection state

Stateful Packet Inspection Firewall

The connection state is derived from information gathered in previous
packets.
It is an essential factor in making the decision for new communication
attempts.
Stateful packet inspection compares the packets against the rules or filters
and then checks the dynamic state table to verify that the packets are part of
a valid, established connection.
By having the ability to "remember" the status of a connection, this method
of packet screening is better equipped to guard against attacks than standard
packet filtering.
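As an added example that is not from the original presentation, the Python code below implements the dynamic state table described above for TCP. A connection entry is created only by a plain SYN from the trusted network to a permitted port; later packets in either direction are allowed only if they match an entry; the entry moves from SYN_SENT to ESTABLISHED when the server's SYN/ACK is seen and is removed on FIN or RST. The TRUSTED range, the allowed port list, the class names and the documentation-range addresses are assumptions made for this example.

```python
# Added example: a stateful inspector with a dynamic TCP state table.
# The trusted range and all addresses are constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("192.0.2.0/24")   # assumed trusted network


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        # state table: (client_ip, client_port, server_ip, server_port) -> state
        self.table = {}

    def inspect(self, p: TcpPacket) -> str:
        """Return "allow" or "deny" and update the state table as a side effect."""
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server direction
        rev = (p.dst, p.dport, p.src, p.sport)   # server -> client direction
        key = fwd if fwd in self.table else rev if rev in self.table else None

        if key is not None:
            # The packet belongs to a connection we remember: track its progress.
            if "RST" in p.flags or "FIN" in p.flags:
                # Simplification: tear the entry down on the first FIN or RST;
                # a production firewall waits for both sides to close.
                del self.table[key]
            elif (key == rev and self.table[key] == "SYN_SENT"
                  and {"SYN", "ACK"} <= p.flags):
                self.table[key] = "ESTABLISHED"
            return "allow"

        # Unknown connection: only a bare SYN from the trusted side to a
        # permitted service may create state. An unsolicited SYN from outside,
        # a stray ACK, or a SYN/ACK with no matching SYN is simply dropped.
        if (p.flags == frozenset({"SYN"}) and ip_address(p.src) in TRUSTED
                and p.dport in self.allowed):
            self.table[fwd] = "SYN_SENT"
            return "allow"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall({80, 443})
    print(fw.inspect(TcpPacket("192.0.2.5", 40000, "198.51.100.9", 443, frozenset({"SYN"}))))
    print(fw.inspect(TcpPacket("198.51.100.9", 443, "192.0.2.5", 40000, frozenset({"SYN", "ACK"}))))
    print(fw.inspect(TcpPacket("198.51.100.9", 443, "192.0.2.5", 40001, frozenset({"ACK"}))))  # deny
    print(fw.table)
```

Because replies are admitted by their state-table entry rather than by a port number, the firewall never has to leave high ports open for return traffic the way a stateless filter must; a packet from source port 443 that is not part of a remembered connection is dropped.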

Stateful Packet Inspection Firewall

[Figure: a stateful packet inspection firewall sits between the trusted network
and the untrusted network; packets are checked against the rules and the dynamic
state table and are either forwarded or blocked/discarded]

Stateful Packet Inspection


Strengths:

Like packet filtering firewalls, they have very little impact on network performance.
More secure than basic packet filtering firewalls, because stateful packet
inspection digs deeper into the packet header information to determine the
connection state between endpoints.
They usually have some logging capabilities. Logging can help identify and track
the different types of traffic that pass through the firewall.

Stateful Packet Inspection


Weaknesses

Like packet filtering, stateful packet inspection does not break the
client/server model and therefore allows a direct connection to be made
between the two endpoints.
Rules and filters in this packet screening method can become complex, hard
to manage, prone to error and difficult to test.

Application Gateways/Proxies

The proxy plays middleman in all connection attempts.

The application gateway/proxy acts as an intermediary between the two
endpoints. This packet screening method actually breaks the client/server
model in that two connections are required: one from the source to the
gateway/proxy and one from the gateway/proxy to the destination. Each
endpoint can only communicate with the other by going through the
gateway/proxy.

Application Gateways/Proxies

This type of firewall operates at the application level of the OSI model. For
source and destination endpoints to be able to communicate with each other,
a proxy service must be implemented for each application protocol.
The gateways/proxies are carefully designed to be reliable and secure
because they are the only connection point between the two networks.

Application Gateways/Proxies Firewall

When a client issues a request from the untrusted network, a connection is
established with the application gateway/proxy. The proxy determines if the
request is valid (by comparing it to any rules or filters) and then sends a new
request on behalf of the client to the destination. By using this method, a
direct connection is never made from the trusted network to the untrusted
network and the request appears to have originated from the application
gateway/proxy.

[Figure: a work station, the application gateway (proxy service) and the
untrusted network, with the proxy relaying requests between the two sides]

Application Gateways/Proxies Firewall

The response is sent back to the application gateway/proxy, which
determines if it is valid and then sends it on to the client.
By breaking the client/server model, this type of firewall can effectively hide
the trusted network from the untrusted network.

It is important to note that the application gateway/proxy actually builds a
new request, only copying known acceptable commands before sending it on
to the destination.
Unlike packet filtering and stateful packet inspection, an application
gateway/proxy can see all aspects of the application layer, so it can look for
more specific pieces of information.
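To show concretely what "building a new request, copying only known acceptable commands" means, here is an added Python example (not from the original presentation) of the command-rebuild step of an SMTP application proxy. The client's line is never forwarded as received: it is parsed, the verb is checked against the commands the proxy is willing to relay, the argument is validated, and a fresh canonical line is emitted. Unknown verbs, malformed or oversized arguments and control bytes are refused. The set of relayed verbs and the simplified argument patterns are assumptions made for this example.

```python
# Added example: the request-rebuild step of an SMTP application proxy.
# The relayed verb set and argument patterns are simplified assumptions.
import re
from typing import Optional

# Commands this example proxy is willing to relay; everything else is refused
# (VRFY, EXPN and vendor extensions, for instance, never reach the server).
RELAYED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Simplified argument shapes: a hostname for HELO/EHLO, an angle-bracketed
# path for MAIL FROM and RCPT TO (the empty path "<>" is allowed), nothing
# for the remaining verbs. ESMTP parameters after the path are not relayed.
_HOST = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_PATH = re.compile(r"^<([A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+|)>$")


def rebuild_command(raw: str) -> Optional[str]:
    """Return the canonical command line the proxy will send on, or None to
    refuse the client's request outright."""
    line = raw.rstrip("\r\n")
    # Refuse oversized lines and anything outside printable ASCII.
    if len(line) > 512 or any(ord(c) < 0x20 or ord(c) > 0x7E for c in line):
        return None
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    arg = arg.strip()
    if verb not in RELAYED_VERBS:
        return None
    if verb in ("HELO", "EHLO"):
        return f"{verb} {arg}\r\n" if _HOST.match(arg) else None
    if verb in ("MAIL", "RCPT"):
        keyword = "FROM" if verb == "MAIL" else "TO"
        kw, _, path = arg.partition(":")
        path = path.strip()
        if kw.strip().upper() != keyword or not _PATH.match(path):
            return None
        # The outgoing line is rebuilt from parsed parts, not copied.
        return f"{verb} {keyword}:{path}\r\n"
    if arg:                       # DATA, RSET, NOOP and QUIT take no argument
        return None
    return f"{verb}\r\n"


if __name__ == "__main__":
    for sample in ["ehlo mail.example.com", "MAIL FROM: <alice@example.com>",
                   "VRFY root", "DATA extra", "QUIT"]:
        print(repr(sample), "->", repr(rebuild_command(sample)))
```

The same pattern applies to any application proxy: because the server only ever sees lines the proxy itself composed, the set of protocol features exposed to the untrusted side is exactly the set the proxy chose to implement.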

Application Gateways/Proxies
Strengths

Application gateways/proxies do not allow a direct connection to be made
between endpoints. They actually break the client/server model.
Typically have the best content filtering capabilities. Since they have the
ability to examine the payload of the packet, they are capable of making
decisions based on content.
Allow the network administrator to have more control over traffic passing
through the firewall. They can permit or deny specific applications or specific
features of an application.

Application Gateways/Proxies
Weaknesses

The most significant weakness is the impact they can have on performance.
They require more processing power and have the potential to become a
bottleneck for the network.
Typically require additional client configuration. Clients on the network may
require specialized software or configuration changes to be able to connect to
the application gateway/proxy.

Adaptive Proxies

Also known as dynamic proxies.
Developed as an enhanced form of application gateways/proxies, combining
the merits of both application gateways/proxies and packet filtering.

Circuit-level Gateway

Unlike a packet filtering firewall, a circuit-level gateway does not examine
individual packets. Instead, circuit-level gateways monitor TCP or UDP
sessions.
Once a session has been established, it leaves the port open to allow all
other packets belonging to that session to pass. The port is closed when the
session is terminated.
Circuit-level gateways operate at the transport layer (layer 4) of the OSI
model.

Types of Firewalls
2. With regard to the scope of the filtered communications, i.e., whether
they take place between a single node and the network or between two or
more networks, there exist:

Personal firewalls, a software application which normally filters traffic entering or
leaving a single computer.
Network firewalls, normally running on a dedicated network device or computer
positioned on the boundary of two or more networks.

Types of Firewalls
3. Finally, depending on whether the firewall keeps track of the state of
network connections or treats each packet in isolation, two additional
categories of firewalls exist:

Stateful firewall
Stateless firewall

Types of Firewalls
Stateful firewall
A stateful firewall keeps track of the state of network connections (such as
TCP streams) traveling across it.
A stateful firewall is able to hold in memory significant attributes of each
connection, from start to finish. These attributes, which are collectively
known as the state of the connection, may include such details as the IP
addresses and ports involved in the connection and the sequence
numbers of the packets traversing the connection.

Types of Firewalls
Stateless firewall
A stateless firewall treats each network frame (packet) in isolation. Such a
firewall has no way of knowing if any given packet is part of an existing
connection, is trying to establish a new connection, or is just a rogue packet.
The classic example of a protocol that a stateless firewall handles poorly is
the File Transfer Protocol, because by design it opens new connections to
random ports.

Firewall Architecture

Since firewall solutions can be configured using a single system or multiple
systems, the architecture used to implement the solution can be simple or
complex.

Packet Filtering Router
Screened Host (Bastion Host)
Dual-homed Gateway
Screened Subnet or Demilitarized Zone (DMZ)
Firewall Appliance

Packet Filtering Router

A packet filtering router is a router configured to screen packets between two
networks. It routes traffic between the two networks and uses packet filtering
rules to permit or deny traffic.

[Figure: a filtering router placed between the trusted network and the
untrusted network]

Screened Host (Bastion Host)

Router provides packet filters for some basic services
Bastion host proxies more risky services
Not suitable for exporting services

Screened Host (Bastion Host)

Dual-homed Gateway

A dual-homed gateway firewall consists of a highly secured host system
running proxy software. It has two network interfaces, one on each side of the
firewall. Only gateways or proxies for the services that are considered
essential are installed on the system.

Screened Subnet or Demilitarized Zone (DMZ)

Created between two packet filtering routers.

The exterior router is the only connection between the enterprise network and the
outside world.
The interior router does the bulk of the access control work. It filters packets.
The bastion host is a secure server. It provides an interconnection point between the
enterprise network and the outside world for the restricted services.
The perimeter network connects the servers together and connects the exterior router to
the interior router.

Do you need a firewall?

The decision to implement a firewall solution should not be made without
doing some research and analysis.
What does the firewall need to control or protect?
In order to make a sound decision, first identify what functions the firewall
would need to perform. Will it control access to and from the network, or will
it protect services and users?

What would the firewall control?

Access into the network
Access out of the network
Access between internal networks, departments, or buildings
Access for specific groups, users or addresses
Access to specific resources or services

Do you need a firewall?

What would it need to protect?

Specific machines or networks
Specific services
Information - private or public
Users

Do you need a firewall?

What impact will a firewall have on your organization, network and users?

What resources will be required to implement and maintain a firewall solution?

Who will do the work? Are experienced technical personnel available for the job or
will someone need to be hired from outside your organization?
Is hardware available that meets the requirements to support a firewall solution?
Will existing services be able to function through a firewall?
What will the financial impact be on the organization? (Financial impact should
include initial implementation costs, ongoing maintenance and upgrades, hardware
and software costs, and technical support costs, whether the support is provided
in-house or from an outside source.)

Selecting a Firewall Solution

In order to pick the best architecture and packet screening method
for a firewall solution, the following questions should be
considered:

What does the firewall need to do?

What additional services would be desirable?

How will it fit in the existing network?

How will it affect existing services and users?

Security Policy
The success of any firewall solution's implementation is directly related to the
existence of a well-thought-out and consistently-implemented security policy.
Some of the topics a security policy may address are:

Administrative Issues

User access - Which users will be allowed access to and from the network?
Access to services - Which services will be allowed in and out of the network?
Access to resources - Which resources will be available to users?
User authentication - Will the organization require user authentication?
Logging and auditing - Will the organization want to keep log and audit files?
Policy violation consequences - What will be the consequences of policy violation?
Responsibilities - Who will oversee and administer the security policy? Who has final
authority on decisions?

Security Policy

Technical Issues

Remote access - Will the organization allow remote access to the network?

Physical security - How will physical security of machines, one of the most obvious
security elements that is often overlooked, be achieved?

Virus protection - How will the organization handle virus protection?

Implementations

Software

Devil-Linux
Dotdefender
ipfirewall
PF
Symantec

Hardware

Cisco PIX
DataPower
SofaWare Technologies

Conclusion

Don't make the mistake of thinking that no one will attack your network,
because with the rise in automated attack tools, your network is as much at
risk as every other network on the Internet.
The need for firewalls has led to their ubiquity. Nearly every organization
connected to the Internet has installed some sort of firewall.

When choosing and implementing a firewall solution, make a decision based
on the organization's needs, security policy, technical analysis, and financial
resources. Solutions available today utilize different types of equipment,
network configurations, and software.

Q&A
Questions?
